UncleSocks / onyx-caaat-automated-cisco-configuration-assessment-and-auditing-tool

ONYX: Cisco Automated Assessment and Auditing Tool (CAAAT). An open-source tool that automatically assesses and audits Cisco IOS routers against Center for Internet Security (CIS) Cisco IOS 15 Benchmark and Cisco IOS 17 Benchmark.
MIT License
11 stars, 2 forks

False positives with CIS Benchmark IOSXE 17 defaults (e.g. 2.1.4 Set no service dhcp) #9

Open grotewortel opened 3 months ago

grotewortel commented 3 months ago

Hi, I have a problem with CIS Benchmark 2.1.4 Set 'no service dhcp' (Automated). It looks like the benchmark is a bit naive, and the Cisco defaults for showing the dhcp service have changed somewhere in time.

The CIS benchmark states this:

Audit:
Perform the following to determine if the DHCP service is enabled: 
Verify no result returns 
hostname#show run | incl dhcp

There are 2 problems with this. First of all, no service dhcp shows up in the output, where the benchmark expects it to be empty.

router1#show run | incl dhcp
no service dhcp
 ip address dhcp

Secondly, virtual cloud-based routers may have an IP address assigned by DHCP. This is the second dhcp occurrence in the output above and will also result in failure of the check.

router1#show run interface gigabitEthernet 1
!
interface GigabitEthernet1
 ip address dhcp
end

The good news is, only the check from the CIS benchmark is incomplete. The benchmark is fortunately quite clear about the expected configuration. The configuration is correct, but the check is not.

One of the following commands can be used to check the configuration and will probably be more version-independent:

router1#show running-config all | include service dhcp
no service dhcp
router1#show running-config all | include no service dhcp
no service dhcp

I am using a virtual Cisco 8000V with IOS XE 17.13.1a

Please advise.

Thanks, Jan

grotewortel commented 3 months ago

The CIS benchmark for no service dhcp has a reference link to an IOS 16 document. I expect the actual verification commands were not updated for IOSXE 17. There are more problems. These are some fixes for the issues I identified so far. They still check what the CIS benchmark requires to be done, so no changes there.

audit_ios17.py / no service dhcp

    # general_parsers.compliance_check_with_expected_empty_output(connection, "show running-config | include dhcp", "2.1.4 Set 'no service dhcp'", 1, global_report_output)
    general_parsers.compliance_check_with_expected_output(connection, "show running-config all | include no service dhcp$", "2.1.4 Set 'no service dhcp'", 1, global_report_output)

audit_ios17.py / no ip identd

    # general_parsers.compliance_check_with_expected_empty_output(connection, "show running-config | include identd", "2.1.5 Set 'no ip identd'", 1, global_report_output)
    general_parsers.compliance_check_with_expected_output(connection, "show running-config all | include no ip identd", "2.1.5 Set 'no ip identd'", 1, global_report_output)

audit_ios17.py / no service pad

    # general_parsers.compliance_check_with_expected_empty_output(connection, "show running-config | include service pad", "2.1.8 Set 'no service pad'", 1, global_report_output)
    general_parsers.compliance_check_with_expected_output(connection, "show running-config all | include no service pad$", "2.1.8 Set 'no service pad'", 1, global_report_output)

grotewortel commented 2 months ago

Some more:

audit_ios17.py / no ip bootp server

    # general_parsers.compliance_check_with_expected_empty_output(connection, "show running-config | include bootp", "2.1.3 Set 'no ip bootp server'", 1, global_report_output)
    general_parsers.compliance_check_with_expected_output(connection, "show running-config all | include no ip bootp server$", "2.1.3 Set 'no ip bootp server'", 1, global_report_output)

audit_ios17.py / no ip source-route

    # routing_parsers.compliance_check_source_route(connection, "show running-config | include ip source-route", "3.1.1 Set 'no ip source-route'", 1, global_report_output)
    routing_parsers.compliance_check_source_route(connection, "show running-config all | include no ip source-route", "3.1.1 Set 'no ip source-route'", 1, global_report_output)

UncleSocks commented 2 months ago

Hi Jan,

I'll look into this sometime next week. Although the tool is very agnostic to the benchmark document command recommendation, I do agree they have some mishaps. I'll run through your recommendations on my lab next week.

UncleSocks commented 1 month ago

Hi Jan,

Sorry for the delayed fix -- I've been busy studying for a certification exam. I've patched the script with your recommendations. It should now accurately detect the specified services. The expected empty output parser is also modified to handle the "no" prefix properly.

def compliance_check_with_expected_empty_output(connection, command, cis_check, level, global_report_output):
    # Run the audit command over SSH; this check expects no output at all.
    command_output = ssh_send(connection, command)
    if not command_output or not command_output.strip():
        compliant = True

    # IOS XE 17 prints explicit negated defaults (e.g. "no service dhcp"),
    # so output whose first token is "no" still means the service is disabled.
    elif command_output.strip().split()[0].lower() == "no":
        compliant = True

    else:
        compliant = False

    return compliant

Thank you for the fix recommendations. I've added you to the README "Special Thanks To" section for your contributions :D I really appreciate it.
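The following is an added example, not code from the ONYX project or from either participant in this thread. It reproduces the two false-positive sources Jan describes (the explicit `no service dhcp` default line and the interface-level `ip address dhcp`) on constructed `show running-config all` output, and evaluates the negated-command benchmarks from the thread client-side: only non-indented (global) lines are considered, and a check passes only when the exact `no <command>` line is present and the enabling form is absent. The `include()` helper is a Python approximation of the IOS `| include <regex>` filter; the sample configs and the `CHECKS` mapping are constructed for the demonstration. The assumption that IOS indents sub-mode commands by one space is what lets the evaluator ignore `ip address dhcp` under an interface.

```python
import re

# Constructed sample of "show running-config all" output from an IOS XE 17
# router, modelled on the issue: negated defaults are printed explicitly and
# the interface gets its address via DHCP.
COMPLIANT_CONFIG = """\
!
version 17.13
service timestamps debug datetime msec
no service pad
no service dhcp
no ip bootp server
no ip identd
no ip source-route
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
end
"""

# Constructed counter-example: DHCP service and IP source routing enabled.
NONCOMPLIANT_CONFIG = """\
!
version 17.13
service dhcp
no service pad
no ip bootp server
no ip identd
ip source-route
!
interface GigabitEthernet1
 ip address dhcp
!
end
"""

# Benchmark items from the thread, mapped to the global command that each
# one requires to be negated ("no <command>").
CHECKS = {
    "2.1.3 Set 'no ip bootp server'": "ip bootp server",
    "2.1.4 Set 'no service dhcp'": "service dhcp",
    "2.1.5 Set 'no ip identd'": "ip identd",
    "2.1.8 Set 'no service pad'": "service pad",
    "3.1.1 Set 'no ip source-route'": "ip source-route",
}


def include(output, pattern):
    """Approximate IOS 'show ... | include <regex>': keep lines matching pattern."""
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if rx.search(line)]


def global_lines(output):
    """Return only global-configuration lines.

    IOS indents sub-mode commands (interface, line, router ...) by one space,
    so dropping indented lines discards entries such as ' ip address dhcp'.
    Separator lines ('!') are dropped as well.
    """
    return [line.rstrip() for line in output.splitlines()
            if line.strip() and not line.startswith((" ", "!"))]


def naive_expect_empty(output, keyword):
    """The benchmark's original test: compliant only if 'include <keyword>' is empty."""
    return not include(output, keyword)


def audit_negated_command(output, command):
    """Compliant when the global config has exactly 'no <command>' and no enabling form."""
    globals_ = global_lines(output)
    enabled = any(l == command or l.startswith(command + " ") for l in globals_)
    disabled = any(l == "no " + command for l in globals_)
    return disabled and not enabled


def run_audit(output, checks=CHECKS):
    """Evaluate every benchmark item; returns {check name: compliant?}."""
    return {name: audit_negated_command(output, cmd) for name, cmd in checks.items()}


if __name__ == "__main__":
    # The naive test fails a router that is actually compliant.
    print("naive 2.1.4 on compliant router:", naive_expect_empty(COMPLIANT_CONFIG, "dhcp"))
    for name, ok in run_audit(NONCOMPLIANT_CONFIG).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

Filtering on the device with `include no service dhcp$` (as in Jan's patched calls) and filtering the full `show running-config all` output locally as above reach the same verdict; the local version additionally rejects a configuration where both `service dhcp` and a stray `no service dhcp` line appear, and it keeps the evidence lines available for the report.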